SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  dynamic vpn srx not internet access

    Posted 02-27-2020 22:34

    Hi All,

    I have a dynamic VPN configuration, and I can connect to my computer, but I can't access the internet. What's wrong?

    Thanks.

    My configuration:

    set security ike policy ike_pol_wizard_dyn_vpn mode aggressive
    set security ike policy ike_pol_wizard_dyn_vpn proposal-set basic
    set security ike policy ike_pol_wizard_dyn_vpn pre-shared-key ascii-text "$9$JdZDH.PTz3/UDCpOBcSoaZj.PfTzF69q.BIRcle"
    set security ike gateway gw_wizard_dyn_vpn ike-policy ike_pol_wizard_dyn_vpn
    set security ike gateway gw_wizard_dyn_vpn dynamic hostname RXS-SRX300
    set security ike gateway gw_wizard_dyn_vpn dynamic connections-limit 50
    set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id
    set security ike gateway gw_wizard_dyn_vpn external-interface ge-0/0/0.0
    set security ike gateway gw_wizard_dyn_vpn aaa access-profile remote_access_profile
    set security ipsec policy ipsec_pol_wizard_dyn_vpn proposal-set basic
    set security ipsec vpn wizard_dyn_vpn ike gateway gw_wizard_dyn_vpn
    set security ipsec vpn wizard_dyn_vpn ike ipsec-policy ipsec_pol_wizard_dyn_vpn


    set security dynamic-vpn access-profile remote_access_profile
    set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 192.168.0.0/16
    set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.10.10.0/24
    set security dynamic-vpn clients wizard-dyn-group ipsec-vpn wizard_dyn_vpn
    set security dynamic-vpn clients wizard-dyn-group user admin1
    set security dynamic-vpn clients wizard-dyn-group user admin2


    set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match source-address any
    set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match destination-address any
    set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match application any
    set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn wizard_dyn_vpn

    set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.100.0/24
    set access address-assignment pool dyn-vpn-address-pool family inet range Range-VPN-Test low 10.10.100.20
    set access address-assignment pool dyn-vpn-address-pool family inet range Range-VPN-Test high 10.10.100.254
    set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 192.168.0.11/32


  • 2.  RE: dynamic vpn srx not internet access
    Best Answer

    Posted 02-28-2020 08:46

    tech,

    Do you mean that you can connect via Pulse from your PC to the SRX and access subnets 192.168.0.0/16 and 10.10.10.0/24, but not the Internet via the Pulse connection?

    If you want to reach the Internet via the Pulse connection, you need to configure a default route under remote-protected-resources so that this default route is injected into the PC when it connects via DynVPN to the SRX:

    set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 0.0.0.0/0



  • 3.  RE: dynamic vpn srx not internet access

    Posted 03-03-2020 08:08

    Hi tech,

    Do you need more assistance?




  • 4.  RE: dynamic vpn srx not internet access

    Posted 03-09-2020 08:36

    I'm having the same issue, and I already have the command "set security dynamic-vpn clients all remote-protected-resources 0.0.0.0/0" configured. I cannot even ping 1.1.1.1.



  • 5.  RE: dynamic vpn srx not internet access

    Posted 03-10-2020 16:50

    I resolved this issue by using the commands below. Hopefully this helps someone else out, too.

    set security nat source rule-set remote-vpn-nat from zone untrust
    set security nat source rule-set remote-vpn-nat to zone untrust
    set security nat source rule-set remote-vpn-nat rule vpn-nat match source-address X.X.X.X/X <--- VPN Subnet Here
    set security nat source rule-set remote-vpn-nat rule vpn-nat then source-nat interface
    set security policies from-zone untrust to-zone untrust policy remote-vpn match source-address any
    set security policies from-zone untrust to-zone untrust policy remote-vpn match destination-address any
    set security policies from-zone untrust to-zone untrust policy remote-vpn match application any
    set security policies from-zone untrust to-zone untrust policy remote-vpn then permit tunnel ipsec-vpn remote-vpn
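
Putting posts 2 and 5 together, the following is a complete configuration for the "full tunnel" case, added here as a worked example; it is not taken from any post in this thread or from Juniper documentation. It assumes the names from the first post (client pool 10.10.100.0/24, dynamic VPN wizard_dyn_vpn, client group wizard-dyn-group, external interface in zone untrust); the address-book entry dyn-vpn-pool and the rule-set and policy names are my own choices. It tightens post 5's untrust-to-untrust policy by matching only the VPN pool instead of any, and adds session logging so tunneled Internet sessions appear in the security log. The ## lines are explanatory comments, and the show commands at the end are operational-mode verification, not part of the configuration paste.

```junos
## Assumed from the first post: VPN pool 10.10.100.0/24, dynamic VPN wizard_dyn_vpn,
## client group wizard-dyn-group, external interface in zone untrust.
## The address-book name dyn-vpn-pool and the rule-set/policy names are my own.

## 1. Full tunnel: push a default route to the Pulse client so all of its
##    traffic, Internet included, enters the tunnel (post 2).
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 0.0.0.0/0

## 2. Name the client pool once so later rules can reference it instead of "any".
set security address-book global address dyn-vpn-pool 10.10.100.0/24

## 3. Hairpin policy: traffic arrives from the tunnel in untrust and must leave
##    toward the Internet through untrust again. Matching only the pool keeps
##    the policy from applying to unrelated untrust-to-untrust flows.
set security policies from-zone untrust to-zone untrust policy remote-vpn-internet match source-address dyn-vpn-pool
set security policies from-zone untrust to-zone untrust policy remote-vpn-internet match destination-address any
set security policies from-zone untrust to-zone untrust policy remote-vpn-internet match application any
set security policies from-zone untrust to-zone untrust policy remote-vpn-internet then permit tunnel ipsec-vpn wizard_dyn_vpn
set security policies from-zone untrust to-zone untrust policy remote-vpn-internet then log session-close

## 4. Source NAT: the RFC 1918 pool addresses are not routable on the Internet,
##    so translate them to the external interface address (post 5).
set security nat source rule-set remote-vpn-nat from zone untrust
set security nat source rule-set remote-vpn-nat to zone untrust
set security nat source rule-set remote-vpn-nat rule vpn-nat match source-address 10.10.100.0/24
set security nat source rule-set remote-vpn-nat rule vpn-nat then source-nat interface

## Verification (operational mode) after a client connects:
##   show security ipsec security-associations
##   show security flow session source-prefix 10.10.100.0/24
##   show security nat source rule all
```

Post 4 shows that step 1 alone is not enough: with the default route pushed but no hairpin policy or NAT, the client's Internet traffic reaches the SRX and is either dropped by policy or sent out with an unroutable 10.10.100.x source. The flow-session check separates the two cases: no session for the client's flow means the policy lookup failed, while a session whose source address was not translated means the NAT rule did not match.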